Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able
to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note:
Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-40460)
- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the
ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the
leaf parameters are configured with a resolver. With this configuration, an unauthenticated attacker can
send requests along with conditions beyond its control that may cause a heap-use-after-free error in the
NGINX worker process. This vulnerability may result in limited modification of data or the NGINX worker
process restarting. Note: Software versions which have reached End of Technical Support (EoTS) are not
evaluated. (CVE-2026-40701)
- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset,
source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured,
unauthenticated attackers can send requests that with conditions beyond the attackers' control to cause a
heap buffer over-read in the NGINX worker process, leading to limited disclosure of memory or a restart.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
(CVE-2026-42934)
- NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This
vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an
unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string
that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control
can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in
the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with
Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software
versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42945)
- A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in
excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an
unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream
server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions
which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-42946)
Solution
Update the nginx library and its related packages to version 1.28.3-r1 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:C
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 5/13/2026
Exploitable With
Core Impact